diff --git a/CHANGELOG.txt b/CHANGELOG.txt index 17bfadb815..1d7233ea4d 100644 --- a/CHANGELOG.txt +++ b/CHANGELOG.txt @@ -4,6 +4,7 @@ Changelog 2.15.2 (xx.xx.xxxx) - IN DEVELOPMENT ~~~~~~~~~~~~~~~~~~~ + * Fix: CVE-2022-21683 - Comment reply notifications sent to incorrect users (Ihor Marhitych, Jacob Topp-Mugglestone) * Fix: Transform operations in Filter.run() when image has been re-oriented (Justin Michalicek) * Fix: Remove extraneous header action buttons when creating or editing workflows and tasks (Matt Westcott) * Fix: Ensure that bulk publish actions pick up the latest draft revision (Matt Westcott) diff --git a/docs/releases/2.15.2.rst b/docs/releases/2.15.2.rst index 40db8ba154..6f7bd6a567 100644 --- a/docs/releases/2.15.2.rst +++ b/docs/releases/2.15.2.rst @@ -10,6 +10,13 @@ Wagtail 2.15.2 release notes - IN DEVELOPMENT What's new ========== +CVE-2022-21683: Comment reply notifications sent to incorrect users +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +This release addresses an information disclosure issue in Wagtail's commenting feature. Previously, when notifications for new replies in comment threads were sent, they were sent to all users who had replied or commented anywhere on the site, rather than only in the relevant threads. This meant that a user could listen in to new comment replies on pages they did not have editing access to, as long as they had left a comment or reply somewhere on the site. + +Many thanks to Ihor Marhitych for reporting this issue. For further details, please see `the CVE-2022-21683 security advisory `_. + Bug fixes ~~~~~~~~~
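Review bot: the advisory link at the end of the "Many thanks to Ihor Marhitych" paragraph in docs/releases/2.15.2.rst has no target. In reStructuredText an external link is written `` `link text <URL>`_ ``, and the added line reads `` `the CVE-2022-21683 security advisory `_ `` with no `<URL>` part, so Sphinx will report an unknown target and the rendered page will carry a dead or missing link; add the advisory URL in angle brackets before the closing backtick. While editing that paragraph, the description "a user could listen in to new comment replies" leaves the impact vague: say what a misdirected notification actually contained (for example the reply text, the page title, the author) so site operators can judge what was disclosed, and state that the only precondition is having left a comment or reply somewhere on the site, as the preceding sentence implies.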